C++：在 Windows 中监视进程创建和终止

Question

我碰巧看到了代码here的以下部分。

$Obj.ExecNotificationQueryAsync($hObj, "SELECT * FROM __InstanceCreationEvent WITHIN 0.5 WHERE TargetInstance ISA 'Win32_Process'")
$Obj.ExecNotificationQueryAsync($hObj, "SELECT * FROM __InstanceDeletionEvent WITHIN 0.5 WHERE TargetInstance ISA 'Win32_Process'")


Switch $OB.Path_.Class
            Case "__InstanceCreationEvent"
                ConsoleWrite("+~>" & _ProcessGetPath($OB.TargetInstance.ProcessID) & @CR)
            Case "__InstanceDeletionEvent"
                ConsoleWrite("!~>" & $OB.TargetInstance.ProcessID & @CR)
        EndSwitch

我使用相同的WQL 查询来监视C++ 中的进程。 C++ 中是否有类似的东西，通过它我可以知道它是创建还是终止进程。我尝试使用__CLASS，但它的输出为Win32_Process。我在MSVS2010 编码。

请帮忙。谢谢

编辑 1：添加 WQL 查询

hres = pSvc->ExecNotificationQueryAsync(
        _bstr_t("WQL"), 
        _bstr_t("SELECT * " 
            "FROM __InstanceDeletionEvent WITHIN 1 "
            "WHERE TargetInstance ISA 'Win32_Process' "), 
        WBEM_FLAG_SEND_STATUS, 
        NULL, 
        pStubSink);


     hres = pSvc->ExecNotificationQueryAsync(
        _bstr_t("WQL"), 
        _bstr_t("SELECT * " 
            "FROM __InstanceCreationEvent WITHIN 1 "
            "WHERE TargetInstance ISA 'Win32_Process'"), 
        WBEM_FLAG_SEND_STATUS, 
        NULL, 
        pStubSink);

使用上面的代码，我从 IWbemObjectSink::Indicate 方法获取进程的名称，无论是创建的还是终止的，打印到控制台中。

Answer 1

为了使用单个 WQL 语句检测进程的创建和终止，您可以像这样使用 __InstanceOperationEvent 类。

Select * From __InstanceOperationEvent Within 1 Where TargetInstance ISA  Win32_Process

然后，如果您想确定到达事件的类型（类），您必须评估 __Class 属性。

试试这个示例

HRESULT EventSink::Indicate(long lObjectCount,
                            IWbemClassObject **apObjArray)
{
    HRESULT hr = S_OK;
    _variant_t vtProp;

    for (int i = 0; i < lObjectCount; i++)
    {
        bool CreateorDel = false;
        _variant_t cn;
        hr = apObjArray[i]->Get(_bstr_t(L"__Class"), 0, &cn, 0, 0);
        if (SUCCEEDED(hr))
        {
            wstring LClassStr(cn.bstrVal);
            if (0 == LClassStr.compare(L"__InstanceDeletionEvent") )
            {
                wcout << "Deletion" << endl;
                CreateorDel = true;
            }
            else if (0 == LClassStr.compare(L"__InstanceCreationEvent"))
            {
                wcout << "Creation" << endl;
                CreateorDel = true;
            }
            else
            {
                CreateorDel = false;
                //wcout << "Modification " << endl;             
            }
        }
        VariantClear(&cn);  

        if (CreateorDel)
        {
            hr = apObjArray[i]->Get(_bstr_t(L"TargetInstance"), 0, &vtProp, 0, 0);
            if (!FAILED(hr))
            {
                IUnknown* str = vtProp;
                hr = str->QueryInterface( IID_IWbemClassObject, reinterpret_cast< void** >( &apObjArray[i] ) );
                if ( SUCCEEDED( hr ) )
                {
                    _variant_t cn;
                    hr = apObjArray[i]->Get( L"Name", 0, &cn, NULL, NULL );
                    if ( SUCCEEDED( hr ) )
                    {

                        if ((cn.vt==VT_NULL) || (cn.vt==VT_EMPTY))
                            wcout << "Name : " << ((cn.vt==VT_NULL) ? "NULL" : "EMPTY") << endl;
                        else
                            wcout << "Name : " << cn.bstrVal << endl;
                    }
                    VariantClear(&cn);              

                    hr = apObjArray[i]->Get( L"Handle", 0, &cn, NULL, NULL );
                    if ( SUCCEEDED( hr ) )
                    {
                        if ((cn.vt==VT_NULL) || (cn.vt==VT_EMPTY))
                            wcout << "Handle : " << ((cn.vt==VT_NULL) ? "NULL" : "EMPTY") << endl;
                        else
                            wcout << "Handle : " << cn.bstrVal << endl;
                    }
                    VariantClear(&cn);
                }
            }
            VariantClear(&vtProp);
        }

    }

    return WBEM_S_NO_ERROR;
}